Force user to provide old password in order to change it

Dmitriy Zaporozhets
1 parent 0630be38
Showing 4 changed files with 59 additions and 19 deletions Show diff stats
app/controllers/profiles_controller.rb
app/views/profiles/account.html.haml
features/profile/profile.feature
features/steps/profile/profile.rb
@@ -33,7 +33,14 @@ class ProfilesController &lt; ApplicationController
   end
  
   def update_password
-    params[:user].reject!{ |k, v| k != "password" && k != "password_confirmation"}
+    params[:user].select! do |key, value|
+      %w(current_password password password_confirmation).include?(key.to_s)
+    end
+
+    unless @user.valid_password?(params[:user][:current_password])
+      redirect_to account_profile_path, alert: 'You must provide a valid current password'
+      return
+    end
  
     if @user.update_attributes(params[:user])
       flash[:notice] = "Password was successfully updated. Please login with it"
@@ -57,24 +57,33 @@
       .tab-pane#tab-password
         %fieldset.update-password
           %legend Password
-          = form_for @user, url: update_password_profile_path, method: :put do |f|
-            %div
-              %p.slead After a successful password update you will be redirected to login page where you should login with your new password
-              -if @user.errors.any?
-                .alert.alert-error
-                  %ul
-                    - @user.errors.full_messages.each do |msg|
-                      %li= msg
-              .control-group
-                = f.label :password
-                .controls= f.password_field :password, required: true
-              .control-group
-                = f.label :password_confirmation
-                .controls
-                  = f.password_field :password_confirmation, required: true
-              .control-group
-                .controls
-                  = f.submit 'Save password', class: "btn btn-save"
+          - if current_user.ldap_user?
+            %h3.nothing_here_message Not available for LDAP user
+          - else
+            = form_for @user, url: update_password_profile_path, method: :put do |f|
+              %div
+                %p.slead
+                  You must provide current password in order to change it.
+                  %br
+                  After a successful password update you will be redirected to login page where you should login with your new password
+                -if @user.errors.any?
+                  .alert.alert-error
+                    %ul
+                      - @user.errors.full_messages.each do |msg|
+                        %li= msg
+                .control-group
+                  = f.label :current_password, class: 'cgreen'
+                  .controls= f.password_field :current_password, required: true
+                .control-group
+                  = f.label :password, 'New password'
+                  .controls= f.password_field :password, required: true
+                .control-group
+                  = f.label :password_confirmation
+                  .controls
+                    = f.password_field :password_confirmation, required: true
+                .control-group
+                  .controls
+                    = f.submit 'Save password', class: "btn btn-save"
  
       - if show_profile_social_tab?
         .tab-pane#tab-social
@@ -11,6 +11,12 @@ Feature: Profile
     Then I change my contact info
     And I should see new contact info
  
+  Scenario: I change my password without old one
+    Given I visit profile account page
+    When I try change my password w/o old one
+    Then I should see a missing password error message
+    And I should be redirected to account page
+
   Scenario: I change my password
     Given I visit profile account page
     Then I change my password
@@ -22,8 +22,17 @@ class Profile &lt; Spinach::FeatureSteps
     @user.twitter.should == 'testtwitter'
   end
  
+  step 'I try change my password w/o old one' do
+    within '.update-password' do
+      fill_in "user_password", with: "222333"
+      fill_in "user_password_confirmation", with: "222333"
+      click_button "Save"
+    end
+  end
+
   step 'I change my password' do
     within '.update-password' do
+      fill_in "user_current_password", with: "123456"
       fill_in "user_password", with: "222333"
       fill_in "user_password_confirmation", with: "222333"
       click_button "Save"
@@ -32,12 +41,17 @@ class Profile &lt; Spinach::FeatureSteps
  
   step 'I unsuccessfully change my password' do
     within '.update-password' do
+      fill_in "user_current_password", with: "123456"
       fill_in "user_password", with: "password"
       fill_in "user_password_confirmation", with: "confirmation"
       click_button "Save"
     end
   end
  
+  step "I should see a missing password error message" do
+    page.should have_content "You must provide a valid current password"
+  end
+
   step "I should see a password error message" do
     page.should have_content "Password doesn't match confirmation"
   end
@@ -110,6 +124,10 @@ class Profile &lt; Spinach::FeatureSteps
     current_path.should == new_user_session_path
   end
  
+  step 'I should be redirected to account page' do
+    current_path.should == account_profile_path
+  end
+
   step 'I click on my profile picture' do
     click_link 'profile-pic'
   end
...	...	@@ -33,7 +33,14 @@ class ProfilesController < ApplicationController
33	33	end
34	34
35	35	def update_password
36		- params[:user].reject!{ \|k, v\| k != "password" && k != "password_confirmation"}
	36	+ params[:user].select! do \|key, value\|
	37	+ %w(current_password password password_confirmation).include?(key.to_s)
	38	+ end
	39	+
	40	+ unless @user.valid_password?(params[:user][:current_password])
	41	+ redirect_to account_profile_path, alert: 'You must provide a valid current password'
	42	+ return
	43	+ end
37	44
38	45	if @user.update_attributes(params[:user])
39	46	flash[:notice] = "Password was successfully updated. Please login with it"
...	...
...	...	@@ -57,24 +57,33 @@
57	57	.tab-pane#tab-password
58	58	%fieldset.update-password
59	59	%legend Password
60		- = form_for @user, url: update_password_profile_path, method: :put do \|f\|
61		- %div
62		- %p.slead After a successful password update you will be redirected to login page where you should login with your new password
63		- -if @user.errors.any?
64		- .alert.alert-error
65		- %ul
66		- - @user.errors.full_messages.each do \|msg\|
67		- %li= msg
68		- .control-group
69		- = f.label :password
70		- .controls= f.password_field :password, required: true
71		- .control-group
72		- = f.label :password_confirmation
73		- .controls
74		- = f.password_field :password_confirmation, required: true
75		- .control-group
76		- .controls
77		- = f.submit 'Save password', class: "btn btn-save"
	60	+ - if current_user.ldap_user?
	61	+ %h3.nothing_here_message Not available for LDAP user
	62	+ - else
	63	+ = form_for @user, url: update_password_profile_path, method: :put do \|f\|
	64	+ %div
	65	+ %p.slead
	66	+ You must provide current password in order to change it.
	67	+ %br
	68	+ After a successful password update you will be redirected to login page where you should login with your new password
	69	+ -if @user.errors.any?
	70	+ .alert.alert-error
	71	+ %ul
	72	+ - @user.errors.full_messages.each do \|msg\|
	73	+ %li= msg
	74	+ .control-group
	75	+ = f.label :current_password, class: 'cgreen'
	76	+ .controls= f.password_field :current_password, required: true
	77	+ .control-group
	78	+ = f.label :password, 'New password'
	79	+ .controls= f.password_field :password, required: true
	80	+ .control-group
	81	+ = f.label :password_confirmation
	82	+ .controls
	83	+ = f.password_field :password_confirmation, required: true
	84	+ .control-group
	85	+ .controls
	86	+ = f.submit 'Save password', class: "btn btn-save"
78	87
79	88	- if show_profile_social_tab?
80	89	.tab-pane#tab-social
...	...
...	...	@@ -11,6 +11,12 @@ Feature: Profile
11	11	Then I change my contact info
12	12	And I should see new contact info
13	13
	14	+ Scenario: I change my password without old one
	15	+ Given I visit profile account page
	16	+ When I try change my password w/o old one
	17	+ Then I should see a missing password error message
	18	+ And I should be redirected to account page
	19	+
14	20	Scenario: I change my password
15	21	Given I visit profile account page
16	22	Then I change my password
...	...
...	...	@@ -22,8 +22,17 @@ class Profile < Spinach::FeatureSteps
22	22	@user.twitter.should == 'testtwitter'
23	23	end
24	24
	25	+ step 'I try change my password w/o old one' do
	26	+ within '.update-password' do
	27	+ fill_in "user_password", with: "222333"
	28	+ fill_in "user_password_confirmation", with: "222333"
	29	+ click_button "Save"
	30	+ end
	31	+ end
	32	+
25	33	step 'I change my password' do
26	34	within '.update-password' do
	35	+ fill_in "user_current_password", with: "123456"
27	36	fill_in "user_password", with: "222333"
28	37	fill_in "user_password_confirmation", with: "222333"
29	38	click_button "Save"
...	...	@@ -32,12 +41,17 @@ class Profile < Spinach::FeatureSteps
32	41
33	42	step 'I unsuccessfully change my password' do
34	43	within '.update-password' do
	44	+ fill_in "user_current_password", with: "123456"
35	45	fill_in "user_password", with: "password"
36	46	fill_in "user_password_confirmation", with: "confirmation"
37	47	click_button "Save"
38	48	end
39	49	end
40	50
	51	+ step "I should see a missing password error message" do
	52	+ page.should have_content "You must provide a valid current password"
	53	+ end
	54	+
41	55	step "I should see a password error message" do
42	56	page.should have_content "Password doesn't match confirmation"
43	57	end
...	...	@@ -110,6 +124,10 @@ class Profile < Spinach::FeatureSteps
110	124	current_path.should == new_user_session_path
111	125	end
112	126
	127	+ step 'I should be redirected to account page' do
	128	+ current_path.should == account_profile_path
	129	+ end
	130	+
113	131	step 'I click on my profile picture' do
114	132	click_link 'profile-pic'
115	133	end
...	...